Getting A Network Shell
Well, this is actually a lot easier than it seems, thanks to the work
done by Jeff Mock. The secret is to use an old hacking technique
involving netcat and bash. Has the light bulb lit yet? If not, here's
what you need to do.
- Getting Netcat
There are two ways you can do this. First off, you can download
Netcat 1.10 for Unix, apply this patch, and then compile it using
Jeff's toolchain (the GAPING_SECURITY_HOLE define is what enables the
-e option that the wrapper below relies on):
# make linux CC=arm-linux-gcc DFLAGS=-DGAPING_SECURITY_HOLE
Or you could just download the binary from me.
You'll also need a copy of netcat for your own operating system -- either
compile one on your Linux box or track down a Windows binary.
- Getting a Wrapper
There is probably an easier way to do this, but this worked on the
first try for me, so I'm sticking with it. Basically, compile the
following code using the arm toolchain; it gets installed as
/empeg/bin/player in place of the real player, which is renamed to
player.orig. Or you could grab the compiled binary from me.
#include <stdlib.h>

/* Start a netcat listener on TCP port 5000 that hands a root bash to
   whoever connects (there is no authentication: anyone who can reach
   port 5000 gets root), then run the real player application. */
int main(void) {
    system("/bin/nc -l -p 5000 -e /bin/bash &");
    system("/empeg/bin/player.orig");
    return 0;
}
- Getting Bash
There are several ways to do this. The easiest is to get hold of
Jeff's dev-fs-image.tgz file, which contains bash, termcap, and some
other goodies. Otherwise, refer to Jeff's site on how to build your
own.
- Install Bash, Netcat, and my Wrapper.
If you've got an NFS server set up, serving the files to the Rio
(again, see Jeff's site if this is at all confusing), then you would
simply do this:
# cd /tftpboot/[ip_address_or_hostname]/
# tar zxvf /[path_to]/dev-fs-image.tgz
# cp /[path_to]/nc bin
# cd empeg/bin
# mv player player.orig
# cp /[path_to]/player .
You could also do this, in theory, to the .arf file (which came with
the Rio system and contains the NFS directory structure) on your
Windows box, and not have to deal with the entire Linux-server setup.
However, you'll probably have to go down that route anyway if you're
planning on doing any hacking.
Now for the fun stuff
Now, hard-reboot the Rio (unplug it and plug it back in). When the
player comes up, you should have a copy of netcat running in the
background listening on port 5000. You can get the IP address of the
Rio by hitting the menu button, then scrolling to About Receiver, then
scrolling down until you see the IP address listed. Now you should be
able to connect to it:
# nc [ip_address] 5000
ps aux
PID Uid Gid State Command
1 0 0 S -bash
2 0 0 S [kflushd]
3 0 0 S [kupdate]
4 0 0 S [kpiod]
5 0 0 S [kswapd]
6 0 0 R [rpciod]
7 0 0 S /empeg/bin/player
9 0 0 S bash
10 0 0 S sh -c /empeg/bin/player.orig
11 0 0 S /empeg/bin/player.orig
12 0 0 S /empeg/bin/player.orig
13 0 0 S /empeg/bin/player.orig
14 0 0 S /empeg/bin/player.orig
15 0 0 S /empeg/bin/player.orig
16 0 0 S /empeg/bin/player.orig
17 0 0 S /empeg/bin/player.orig
18 0 0 S /empeg/bin/player.orig
19 0 0 S /empeg/bin/player.orig
20 0 0 S /empeg/bin/player.orig
21 0 0 S /empeg/bin/player.orig
22 0 0 R ps aux
kill 10
ps aux
PID Uid Gid State Command
1 0 0 S -bash
2 0 0 S [kflushd]
3 0 0 S [kupdate]
4 0 0 S [kpiod]
5 0 0 S [kswapd]
6 0 0 S [rpciod]
9 0 0 S bash
23 0 0 R -bash
24 0 0 R ps aux
pwd
/empeg/bin
cat /proc/cpuinfo
Processor : ARM/VLSI arm720 rev 2
BogoMips : 65.33
Hardware : CL-PS7212
cat /proc/empeg_id
hwrev : 02
serial: 09133
build : 00000000
id : 2ef706a2-369b13ae-3faf136f-6c9410e2
ram : 4096K
flash : -1K
dtype : 1
Note that it's really slow to interact with the receiver if the player
application is running; that's why I always kill it. The process ID
is always 10 when I boot up, but your mileage will vary.
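Since the wrapper's process ID is not guaranteed to be 10, here is a small
parser for the receiver's ps output that finds the right process by its
command line instead, and also lists which interactive shells are running
as root (the netcat listener hands out exactly such a shell, so an
unexpected one is worth noticing). This is an added example, not code from
the page or from Jeff Mock; it assumes the five-column "PID Uid Gid State
Command" layout shown above, and the sample table is constructed from a
trimmed copy of the session output.

```python
import re

# Constructed sample: a trimmed copy of the `ps aux` table shown in the
# session above (BusyBox-style columns: PID Uid Gid State Command).
SAMPLE_PS = """\
PID Uid Gid State Command
1 0 0 S -bash
2 0 0 S [kflushd]
7 0 0 S /empeg/bin/player
9 0 0 S bash
10 0 0 S sh -c /empeg/bin/player.orig
11 0 0 S /empeg/bin/player.orig
12 0 0 S /empeg/bin/player.orig
22 0 0 R ps aux
"""

HEADER = ["PID", "Uid", "Gid", "State", "Command"]


def parse_ps(text):
    """Parse the five-column ps table into a list of dicts.

    The command column may contain spaces, so the line is split into at
    most five fields. Blank, header and malformed lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) < 5 or parts == HEADER:
            continue
        pid, uid, gid, state, cmd = parts
        if not (pid.isdigit() and uid.isdigit() and gid.isdigit()):
            continue
        rows.append({"pid": int(pid), "uid": int(uid), "gid": int(gid),
                     "state": state, "cmd": cmd})
    return rows


def find_pids(rows, pattern):
    """Return the PIDs whose command column matches a regular expression."""
    rx = re.compile(pattern)
    return [r["pid"] for r in rows if rx.search(r["cmd"])]


def player_wrapper_pid(rows):
    """PID of the `sh -c /empeg/bin/player.orig` shell that the wrapper
    spawned, i.e. the process the text kills with `kill 10`. None if the
    player is not running."""
    pids = find_pids(rows, r"^sh -c /empeg/bin/player\.orig$")
    return pids[0] if pids else None


def root_shells(rows):
    """PIDs of interactive bash/sh processes running as uid 0."""
    return [r["pid"] for r in rows
            if r["uid"] == 0 and r["cmd"].lstrip("-") in ("bash", "sh")]


if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    pid = player_wrapper_pid(rows)
    print("player wrapper pid:", pid)          # 10 for the sample
    print("root shells:", root_shells(rows))   # [1, 9] for the sample
    if pid is not None:
        print("kill", pid)
```

On the receiver itself there is no Python, so the intended use is to paste
the ps output into this script on the host and read off the PID to kill,
rather than relying on it being 10.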